Draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home.

1 draft-kwatsen-netconf-zerotouch-00 Zero Touch Provisioning for NETCONF Call Home

2 Introduction
Zero Touch is a strategy for how to establish a secure network management relationship between a newly delivered network element, configured with just its factory default settings, and the new owner's NMS.

3 Goals
- Security: MUST implement vs. MUST use (RFC 3365)
- Flexibility: works on SP networks, even if behind a firewall
- Ease of Use: plug-n-play for the installer ("zero" means zero!)
- Device Cost: mild (COGS + development effort)

4 Proposal illustrated in following slides

5 Device State Precondition
Installed at the factory:
- device private key
- device certificate (carries the device's serial number; signed by a certificate with a chain of trust to the vendor's well-known CA)
- FQDN of vendor's DNS server

6 Vendor's DNS Server State
Per-device record (record name not preserved in this transcript) holding:
- FQDN of NMS to connect to
- flag indicating if SSH or TLS
- username NMS will login using
- NMS's auth credentials
State initialized through a vendor-hosted interface

7 ZeroTouch Sequence Diagram
Participants: DEVICE, LOCAL DHCP SERVER, LOCAL DNS SERVER, VENDOR'S DNS SERVER (DNSSEC), NMS
1. DEVICE -> LOCAL DHCP SERVER: lease IP
2. DEVICE -> LOCAL DNS SERVER: lookup vendor's DNS server
3. DEVICE -> VENDOR'S DNS SERVER (DNSSEC): lookup the device's record (record name not preserved in this transcript)
4. DEVICE -> LOCAL DNS SERVER: lookup NMS IP address
5. DEVICE -> NMS: Reverse SSH or Reverse TLS

8 NMS State Precondition
- vendor's trusted CA certificate
- serial numbers for expected devices
- username to log into devices with
- auth credentials to log into devices
NMS needs CA cert and serial numbers from Vendor
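The following Go program is an added example, not code from the presentation or from the draft; it models the two trust decisions that slides 5 through 8 describe: the device only follows an NMS pointer from a DNSSEC-validated answer of the vendor's DNS server, and the NMS only accepts a device whose certificate chains to the vendor's CA and whose serial number is on its expected list. The type and function names (VendorDNSRecord, NMSState, ChooseCallHome, AuthenticateDevice, BuildFixture), the serial number "SN-0001" and the host name nms.example.net are assumptions constructed for the example; the CA and device certificates are generated in-process and are not vendor material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VendorDNSRecord models the per-device record on the vendor's DNS server
// (slide 6). Field names are assumptions made for this example.
type VendorDNSRecord struct {
	NMSFQDN         string
	UseTLS          bool   // false: Reverse SSH, true: Reverse TLS
	Username        string // username the NMS will log in with
	Credentials     string // NMS auth credentials (opaque here)
	DNSSECValidated bool   // resolver validated the answer (DNSSEC)
}

// NMSState models the NMS precondition (slide 8).
type NMSState struct {
	VendorCAs       *x509.CertPool  // vendor's trusted CA certificate(s)
	ExpectedSerials map[string]bool // serial numbers of expected devices
}

// ChooseCallHome is the device-side decision: an NMS pointer is only trusted
// when the vendor DNS answer was DNSSEC-validated, so a spoofed local resolver
// cannot redirect the device. Returns "ssh://..." or "tls://...".
func ChooseCallHome(rec VendorDNSRecord) (string, error) {
	if !rec.DNSSECValidated {
		return "", errors.New("vendor DNS answer not DNSSEC-validated; refusing to call home")
	}
	if rec.NMSFQDN == "" {
		return "", errors.New("record carries no NMS FQDN")
	}
	scheme := "ssh"
	if rec.UseTLS {
		scheme = "tls"
	}
	return scheme + "://" + rec.NMSFQDN, nil
}

// AuthenticateDevice is the NMS-side check: the device certificate must chain
// to the vendor CA and its Subject serial number must be one the NMS expects.
func AuthenticateDevice(nms NMSState, leaf *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: nms.VendorCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain to vendor CA failed: %w", err)
	}
	if !nms.ExpectedSerials[leaf.Subject.SerialNumber] {
		return fmt.Errorf("serial %q not in expected list", leaf.Subject.SerialNumber)
	}
	return nil
}

// makeCert issues a certificate from tmpl; self-signed when parent is nil.
func makeCert(tmpl, parent *x509.Certificate, priv, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &priv.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildFixture constructs a throwaway vendor CA and a device certificate whose
// Subject carries the given serial number (constructed test data).
func BuildFixture(serial string) (*x509.CertPool, *x509.Certificate, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ca, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, caKey, nil)
	if err != nil {
		return nil, nil, err
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dev, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device", SerialNumber: serial},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, devKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, dev, nil
}

func main() {
	pool, dev, err := BuildFixture("SN-0001")
	if err != nil {
		panic(err)
	}
	nms := NMSState{VendorCAs: pool, ExpectedSerials: map[string]bool{"SN-0001": true}}
	target, err := ChooseCallHome(VendorDNSRecord{NMSFQDN: "nms.example.net", UseTLS: true, DNSSECValidated: true})
	fmt.Println("call home to:", target, "err:", err)
	fmt.Println("device accepted by NMS, err:", AuthenticateDevice(nms, dev))
}
```

The serial-number check is what ties the certificate to the NMS's inventory: a certificate that merely chains to the vendor CA would let any of the vendor's devices enroll, which is the point behind slide 8's "serial numbers for expected devices" and slide 10's "Serial Number in certificate".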

9 Supporting Private Networks
Potential alternatives to source information:
- Impersonate vendor's DNS server
- DHCP (susceptible to a MITM attack?)
- USB flash drive
- Near-field wireless
Or just to avoid doing a lookup in the vendor's DNS server?

10 Security Considerations
- Long-lived certificates
- Vendor may reveal NMS locations
- Serial Number in certificate

11 IANA Considerations
None

12 Open Issues
- DNSSEC doesn't currently allow client certificates
- Should DNS record provide SSH-specific information?
- Standardize REST API used to set DNS record info?
- Not in -00 draft: use something besides DNS? (e.g. HTTPS)

13 Questions / Concerns?

